Installing the JumpServer bastion host on CentOS 7.4
Official docs: http://docs.jumpserver.org/zh/docs/step_by_step.html
1. Change the character set
[root@iZbp150ikdomqe3b32qaubZ ~]# localedef -c -f UTF-8 -i zh_CN zh_CN.UTF-8
[root@iZbp150ikdomqe3b32qaubZ ~]# export LC_ALL=zh_CN.UTF-8
[root@iZbp150ikdomqe3b32qaubZ ~]# echo 'LANG=zh_CN.UTF-8' > /etc/locale.conf
Note: change the character set, otherwise you may hit an input/output error, because the logs print Chinese text.
2. Prepare Python 3 and a Python virtual environment
2.1 Install dependency packages
[root@iZbp150ikdomqe3b32qaubZ ~]# yum -y install wget sqlite-devel xz gcc automake zlib-devel openssl-devel epel-release git
2.2 Compile and install
[root@iZbp150ikdomqe3b32qaubZ ~]# cd /opt && wget https://www.python.org/ftp/python/3.6.1/Python-3.6.1.tar.xz
--2018-06-05 10:14:07-- https://www.python.org/ftp/python/3.6.1/Python-3.6.1.tar.xz
正在解析主机 www.python.org (www.python.org)... 151.101.228.223, 2a04:4e42:11::223
正在连接 www.python.org (www.python.org)|151.101.228.223|:443... 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度:16872064 (16M) [application/octet-stream]
正在保存至: “Python-3.6.1.tar.xz”
100%[===================================================================================================================================================>] 16,872,064 1.63MB/s 用时 8.0s
2018-06-05 10:14:17 (2.02 MB/s) - 已保存 “Python-3.6.1.tar.xz” [16872064/16872064])
[root@iZbp150ikdomqe3b32qaubZ opt]# tar axf Python-3.6.1.tar.xz && cd Python-3.6.1
[root@iZbp150ikdomqe3b32qaubZ Python-3.6.1]# ./configure && make && make install
Note: you must compile and install here, otherwise installing the Python library dependencies will cause trouble. If the build fails, remember to run: make clean all
If the following line appears, the build succeeded.
Successfully installed pip-9.0.1 setuptools-28.8.0
2.3 Create the Python virtual environment
CentOS 6/7 ship with Python 2, and Yum and other tools depend on that original Python; to avoid disturbing the original environment we use a Python virtual environment.
[root@iZbp150ikdomqe3b32qaubZ Python-3.6.1]# cd /opt
[root@iZbp150ikdomqe3b32qaubZ opt]# python3 -m venv py3
[root@iZbp150ikdomqe3b32qaubZ opt]# source /opt/py3/bin/activate
(py3) [root@iZbp150ikdomqe3b32qaubZ opt]#
Note: the prompt above means success. From now on, run the source command above before running Jumpserver; all the commands below are run inside this virtual environment.
2.4 Load the Python virtual environment automatically
This step is only for the terminally lazy: it uses autoenv to prevent forgetting to load the Python virtual environment when running Jumpserver, which would make the program fail to run.
(py3) [root@iZbp150ikdomqe3b32qaubZ opt]# cd /opt
(py3) [root@iZbp150ikdomqe3b32qaubZ opt]# git clone git://github.com/kennethreitz/autoenv.git
正克隆到 'autoenv'...
remote: Counting objects: 671, done.
remote: Total 671 (delta 0), reused 0 (delta 0), pack-reused 671
接收对象中: 100% (671/671), 103.92 KiB | 107.00 KiB/s, done.
处理 delta 中: 100% (356/356), done.
(py3) [root@iZbp150ikdomqe3b32qaubZ opt]# echo 'source /opt/autoenv/activate.sh' >> ~/.bashrc
(py3) [root@iZbp150ikdomqe3b32qaubZ opt]# source ~/.bashrc
3. Install jumpserver
3.1 Download or clone the project
The project has many commits, so a git clone is large; you can instead download the zip package directly from the GitHub project page.
(py3) [root@iZbp150ikdomqe3b32qaubZ opt]# cd /opt/
(py3) [root@iZbp150ikdomqe3b32qaubZ opt]# git clone https://github.com/jumpserver/jumpserver.git
正克隆到 'jumpserver'...
remote: Counting objects: 29164, done.
remote: Compressing objects: 100% (290/290), done.
remote: Total 29164 (delta 319), reused 389 (delta 234), pack-reused 28613
接收对象中: 100% (29164/29164), 39.90 MiB | 409.00 KiB/s, done.
处理 delta 中: 100% (20110/20110), done.
(py3) [root@iZbp150ikdomqe3b32qaubZ opt]# cd jumpserver && git checkout master
已经位于 'master'
(py3) [root@iZbp150ikdomqe3b32qaubZ jumpserver]# echo "source /opt/py3/bin/activate" > /opt/jumpserver/.env
(py3) [root@iZbp150ikdomqe3b32qaubZ jumpserver]# cd /opt/jumpserver/
autoenv:
autoenv: WARNING:
autoenv: This is the first time you are about to source /opt/jumpserver/.env:
autoenv:
autoenv: --- (begin contents) ---------------------------------------
autoenv: source /opt/py3/bin/activate$
autoenv:
autoenv: --- (end contents) -----------------------------------------
autoenv:
autoenv: Are you sure you want to allow this? (y/N) y
Note: entering the jumpserver directory loads the Python virtual environment automatically; the first time you enter the jumpserver folder you get a prompt, just press y.
3.2 Install rpm dependency packages
(py3) [root@iZbp150ikdomqe3b32qaubZ jumpserver]# cd /opt/jumpserver/requirements/
(py3) [root@iZbp150ikdomqe3b32qaubZ requirements]# yum -y install $(cat rpm_requirements.txt)
Note: if there are no errors, continue.
3.3 Install the Python library dependencies
(py3) [root@iZbp150ikdomqe3b32qaubZ requirements]# pip install -r requirements.txt
Note: if there are no errors, continue.
You are using pip version 9.0.1, however version 10.0.1 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.
The final output is as above; I'm not sure whether that counts as an error, so let's set it aside for now and continue!
3.4 Install redis
(py3) [root@iZbp150ikdomqe3b32qaubZ requirements]# yum install -y redis
(py3) [root@iZbp150ikdomqe3b32qaubZ requirements]# systemctl start redis
(py3) [root@iZbp150ikdomqe3b32qaubZ requirements]# ps -ef | grep redis
redis 21565 1 0 10:39 ? 00:00:00 /usr/bin/redis-server 127.0.0.1:6379
root 21569 4598 0 10:39 pts/0 00:00:00 grep --color=auto redis
Note: jumpserver uses Redis as its cache and celery broker
3.5 Install mysql
This tutorial uses MySQL as the database; if you are not using MySQL you can skip the MySQL installation and configuration.
Since the machine in this exercise runs CentOS 7, the mariadb database is installed.
(py3) [root@iZbp150ikdomqe3b32qaubZ requirements]# yum -y install mariadb mariadb-devel mariadb-server
(py3) [root@iZbp150ikdomqe3b32qaubZ requirements]# systemctl start mariadb
(py3) [root@iZbp150ikdomqe3b32qaubZ requirements]# ps -ef | grep mariadb
mysql 21874 21709 1 10:42 ? 00:00:00 /usr/libexec/mysqld --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib64/mysql/plugin --log-error=/var/log/mariadb/mariadb.log --pid-file=/var/run/mariadb/mariadb.pid --socket=/var/lib/mysql/mysql.sock
root 21914 4598 0 10:42 pts/0 00:00:00 grep --color=auto mariadb
Note: if the system is CentOS 6, run this instead: yum -y install mysql mysql-devel mysql-server
3.6 Create the jumpserver database and grant privileges
MariaDB [(none)]> create database jumpserver default charset 'utf8';
Query OK, 1 row affected (0.00 sec)
MariaDB [(none)]> grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by 'zhangyike@123';
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> select user,host from mysql.user;
+------------+-------------------------+
| user | host |
+------------+-------------------------+
| jumpserver | 127.0.0.1 |
| root | 127.0.0.1 |
| root | ::1 |
| | izbp150ikdomqe3b32qaubz |
| root | izbp150ikdomqe3b32qaubz |
| | localhost |
| root | localhost |
+------------+-------------------------+
7 rows in set (0.00 sec)
MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| jumpserver |
| mysql |
| performance_schema |
| test |
+--------------------+
5 rows in set (0.00 sec)
3.7 Install the Python 3 mysql driver: mysqlclient
(py3) [root@iZbp150ikdomqe3b32qaubZ requirements]# pip install mysqlclient
Requirement already satisfied: mysqlclient in /opt/py3/lib/python3.6/site-packages
You are using pip version 9.0.1, however version 10.0.1 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.
(py3) [root@iZbp150ikdomqe3b32qaubZ requirements]# echo $?
0
Note: the MySQLdb library does not support Python 3.5+, so mysqlclient was chosen as the driver; pymysql is written in Python and is slower.
3.8 Edit the jumpserver configuration file
(py3) [root@iZbp150ikdomqe3b32qaubZ jumpserver]# pwd
/opt/jumpserver
(py3) [root@iZbp150ikdomqe3b32qaubZ jumpserver]# cp config_example.py config.py
(py3) [root@iZbp150ikdomqe3b32qaubZ jumpserver]# vi config.py
class DevelopmentConfig(Config):
    DEBUG = True
    DB_ENGINE = 'mysql'
    DB_HOST = '127.0.0.1'
    DB_PORT = 3306
    DB_USER = 'jumpserver'
    DB_PASSWORD = 'zhangyike@123'
    DB_NAME = 'jumpserver'


class TestConfig(Config):
    pass


class ProductionConfig(Config):
    pass


# Default using Config settings, you can write if/else for different env
config = DevelopmentConfig()
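The settings above hard-code the database password and leave DEBUG on. A hardened way to supply the same fields, added here as an example and not part of JumpServer or the original post: the password and the DEBUG flag come from the environment, and a production load refuses DEBUG. The DBConfig class and the load_config / config_errors functions are assumed names for this illustration, not JumpServer's API.

```python
import os
from dataclasses import dataclass


# Added example (not JumpServer's own code): the same fields the page's
# DevelopmentConfig hard-codes, but sourced from environment variables.
@dataclass(frozen=True)
class DBConfig:
    DEBUG: bool
    DB_ENGINE: str
    DB_HOST: str
    DB_PORT: int
    DB_USER: str
    DB_PASSWORD: str
    DB_NAME: str


TRUE_VALUES = ("1", "true", "yes", "on")


def config_errors(env, production):
    """Return a list of problems with the settings in `env` (a mapping such as
    os.environ).  An empty list means the settings are acceptable."""
    errors = []
    debug = env.get("DEBUG", "false").strip().lower() in TRUE_VALUES
    if production and debug:
        # Django's debug page shows settings and tracebacks to every client.
        errors.append("DEBUG must be off in production")
    if not env.get("DB_PASSWORD"):
        # No default: the secret never ends up in config.py or in git.
        errors.append("DB_PASSWORD is not set")
    port = env.get("DB_PORT", "3306")
    if not port.isdigit() or not 0 < int(port) < 65536:
        errors.append("DB_PORT must be a TCP port number, got %r" % port)
    return errors


def load_config(env=os.environ, production=False):
    """Build a DBConfig, or raise ValueError listing every problem found."""
    errors = config_errors(env, production)
    if errors:
        raise ValueError("; ".join(errors))
    return DBConfig(
        DEBUG=env.get("DEBUG", "false").strip().lower() in TRUE_VALUES,
        DB_ENGINE=env.get("DB_ENGINE", "mysql"),
        # 127.0.0.1 matches the grant 'jumpserver'@'127.0.0.1' from section 3.6;
        # 'localhost' would make the client use the Unix socket, which the
        # server matches against a different account row.
        DB_HOST=env.get("DB_HOST", "127.0.0.1"),
        DB_PORT=int(env.get("DB_PORT", "3306")),
        DB_USER=env.get("DB_USER", "jumpserver"),
        DB_PASSWORD=env["DB_PASSWORD"],
        DB_NAME=env.get("DB_NAME", "jumpserver"),
    )
```

In config.py the ProductionConfig could then be populated from load_config(production=True), so a missing password or a stray DEBUG=True stops the service at startup instead of going unnoticed.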
3.9 Generate the database schema and initial data
(py3) [root@iZbp150ikdomqe3b32qaubZ jumpserver]# cd /opt/jumpserver/utils
(py3) [root@iZbp150ikdomqe3b32qaubZ utils]# bash make_migrations.sh
Note: if you see the output below, it succeeded. If it fails, first run: bash clean_migrations.sh
Applying perms.0001_initial... OK
Applying perms.0002_auto_20180605_1103... OK
Applying sessions.0001_initial... OK
Applying terminal.0001_initial... OK
Applying terminal.0002_auto_20180605_1103... OK
3.10 Start jumpserver
Method 1:
(py3) [root@iZbp150ikdomqe3b32qaubZ utils]# cd /opt/jumpserver/
(py3) [root@iZbp150ikdomqe3b32qaubZ jumpserver]# ./jms start all
Note:
To run in the background, use the -d parameter: ./jms start all -d
If it runs without errors, open http://47.97.97.124:8080/ in a browser (the default externally exposed port is 8080)
Default account: admin, password: admin. If the page does not render correctly, ignore it for now; it will display properly once the Nginx proxy is set up.
Restart jumpserver: (py3) [root@iZbp150ikdomqe3b32qaubZ jumpserver]# ./jms restart
In my testing the page could not be reached at this point; no need to worry, the setup is not finished yet!
Method 2:
(py3) [root@iZbp150ikdomqe3b32qaubZ jumpserver]# cd /opt/jumpserver/
(py3) [root@iZbp150ikdomqe3b32qaubZ jumpserver]# python run_server.py
4. Install the SSH Server and WebSocket Server: Coco
4.1 Download or clone the project
(py3) [root@iZbp150ikdomqe3b32qaubZ jumpserver]# cd /opt
(py3) [root@iZbp150ikdomqe3b32qaubZ opt]# source /opt/py3/bin/activate # do not forget to run this
(py3) [root@iZbp150ikdomqe3b32qaubZ opt]# git clone https://github.com/jumpserver/coco.git && cd coco && git checkout master
正克隆到 'coco'...
remote: Counting objects: 1462, done.
remote: Compressing objects: 100% (81/81), done.
remote: Total 1462 (delta 120), reused 152 (delta 105), pack-reused 1276
接收对象中: 100% (1462/1462), 336.00 KiB | 167.00 KiB/s, done.
处理 delta 中: 100% (1021/1021), done.
已经位于 'master'
(py3) [root@iZbp150ikdomqe3b32qaubZ coco]# echo "source /opt/py3/bin/activate" > /opt/coco/.env
(py3) [root@iZbp150ikdomqe3b32qaubZ coco]# cd /opt/coco/
autoenv:
autoenv: WARNING:
autoenv: This is the first time you are about to source /opt/coco/.env:
autoenv:
autoenv: --- (begin contents) ---------------------------------------
autoenv: source /opt/py3/bin/activate$
autoenv:
autoenv: --- (end contents) -----------------------------------------
autoenv:
autoenv: Are you sure you want to allow this? (y/N) y
Note: entering the coco directory loads the Python virtual environment automatically; the first time you enter the coco folder you get a prompt, just press y.
4.2 Install dependencies
(py3) [root@iZbp150ikdomqe3b32qaubZ jumpserver]# cd /opt/coco/requirements/
(py3) [root@iZbp150ikdomqe3b32qaubZ requirements]# yum -y install $(cat rpm_requirements.txt)
(py3) [root@iZbp150ikdomqe3b32qaubZ requirements]# pip install -r requirements.txt -i https://pypi.org/simple
4.3 Check the configuration file and run
(py3) [root@iZbp150ikdomqe3b32qaubZ requirements]# cd /opt/coco
(py3) [root@iZbp150ikdomqe3b32qaubZ coco]# cp conf_example.py conf.py
(py3) [root@iZbp150ikdomqe3b32qaubZ coco]# ./cocod start -d
Start coco process
Note:
1 If coco and jumpserver are deployed separately, edit conf.py by hand
2 ./cocod start # to run in the background, use the -d parameter: ./cocod start -d
3 The new version updated the run script; usage is ./cocod start|stop|status|restart, add the -d parameter to run in the background
Because coco and jumpserver are deployed separately here, conf.py needs to be modified as follows:
Before:
# URL of the Jumpserver project, used when registering via the API
# CORE_HOST = os.environ.get("CORE_HOST") or 'http://127.0.0.1:8080'
After:
# URL of the Jumpserver project, used when registering via the API
CORE_HOST = os.environ.get("CORE_HOST") or 'http://47.98.97.124:8080'
Restart coco and jumpserver
(py3) [root@iZbp150ikdomqe3b32qaubZ coco]# ./cocod restart
Stop coco process
Start coco process
[root@iZbp150ikdomqe3b32qaubZ ~]# cd /opt/jumpserver/
(py3) [root@iZbp150ikdomqe3b32qaubZ jumpserver]# ./jms start all -d
The following output indicates a successful start
gunicorn is running: 23269
celery is running: 23286
beat is running: 23287
After it starts, go to Jumpserver, Session management - Terminal management (http://47.98.97.124:8080) and accept coco's registration
5. Install the Web Terminal front-end: Luna
Luna is now a pure front-end and needs Nginx to serve it
(py3) [root@iZbp150ikdomqe3b32qaubZ coco]# cd /opt
(py3) [root@iZbp150ikdomqe3b32qaubZ opt]# wget https://github.com/jumpserver/luna/releases/download/1.3.0/dist.tar.gz
(py3) [root@iZbp150ikdomqe3b32qaubZ opt]# tar axf dist.tar.gz
(py3) [root@iZbp150ikdomqe3b32qaubZ opt]# mv dist luna
(py3) [root@iZbp150ikdomqe3b32qaubZ opt]# ls /opt/luna/
Note: there are no Windows servers to manage here, so guacamole does not need to be installed
6. Configure Nginx to integrate the components
(py3) [root@iZbp150ikdomqe3b32qaubZ opt]# yum -y install nginx
(py3) [root@iZbp150ikdomqe3b32qaubZ opt]# cd /etc/nginx/
(py3) [root@iZbp150ikdomqe3b32qaubZ nginx]# cp nginx.conf.default nginx.conf
(py3) [root@iZbp150ikdomqe3b32qaubZ nginx]# vi nginx.conf
user nobody;
worker_processes 1;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
#pid logs/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include mime.types;
    default_type application/octet-stream;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    #access_log logs/access.log main;
    sendfile on;
    #tcp_nopush on;
    #keepalive_timeout 0;
    keepalive_timeout 65;
    #gzip on;

    server {
        listen 80;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        location /luna/ {
            try_files $uri / /index.html;
            alias /opt/luna/;
        }

        location /media/ {
            add_header Content-Encoding gzip;
            root /opt/jumpserver/data/;
        }

        location /static/ {
            root /opt/jumpserver/data/;
        }

        location /socket.io/ {
            proxy_pass http://47.98.97.124:5000/socket.io/;
            proxy_buffering off;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }

        location / {
            proxy_pass http://47.98.97.124:8080;
        }
    }
}
Test: open http://47.98.97.124; jumpserver can now be accessed normally!